mirror of
https://github.com/apache/superset.git
synced 2026-05-21 15:55:10 +00:00
3993a04eb0
- Fail closed (return only public tools) when credentials are invalid (PermissionError from bad API key, ValueError from unknown dev username); fail open only when no auth source is configured at all - Extract _get_app_context_manager() to module level in auth.py so RBACToolVisibilityMiddleware reuses the same context-selection logic as mcp_auth_hook, preventing external g.user from being shadowed - Add RBACToolVisibilityMiddleware to __main__.py stdio entry point via build_middleware_list() to keep all transports in sync - Fix stale patch targets in test_tool_search_transform.py: update superset.mcp_service.server.user_can_view_data_model_metadata → superset.mcp_service.privacy.user_can_view_data_model_metadata - Qualify write tool listings in instructions with "(requires write access)" and add a permissions preamble so read-only users are not confused by tools they cannot call Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>